/* * Copyright 2013 Laurens Vrijnsen * Copyright 2013 gitblit.com. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */package com.gitblit; import java.io.IOException; import java.text.MessageFormat; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import com.gitblit.models.UserModel; /** * This filter enforces authentication via HTTP Basic Authentication, if the settings indicate so. * It looks at the settings "web.authenticateViewPages" and "web.enforceHttpBasicAuthentication"; if * both are true, any unauthorized access will be met with a HTTP Basic Authentication header. * * @author Laurens Vrijnsen * */ public class EnforceAuthenticationFilter implements Filter { protected transient Logger logger = LoggerFactory.getLogger(getClass()); /* * @see javax.servlet.Filter#init(javax.servlet.FilterConfig) */ @Override public void init(FilterConfig filterConfig) throws ServletException { // nothing to be done } //init /* * This does the actual filtering: is the user authenticated? If not, enforce HTTP authentication (401) * * @see javax.servlet.Filter#doFilter(javax.servlet.ServletRequest, javax.servlet.ServletResponse, javax.servlet.FilterChain) */ @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { /* * Determine whether to enforce the BASIC authentication: */ @SuppressWarnings("static-access") Boolean mustForceAuth = GitBlit.self().getBoolean(Keys.web.authenticateViewPages, false) && GitBlit.self().getBoolean(Keys.web.enforceHttpBasicAuthentication, false); HttpServletRequest HttpRequest = (HttpServletRequest)request; HttpServletResponse HttpResponse = (HttpServletResponse)response; UserModel user = GitBlit.self().authenticate(HttpRequest); if (mustForceAuth && (user == null)) { // not authenticated, enforce now: logger.debug(MessageFormat.format("EnforceAuthFilter: user not authenticated for URL {0}!", request.toString())); @SuppressWarnings("static-access") String CHALLENGE = MessageFormat.format("Basic realm=\"{0}\"", GitBlit.self().getString("web.siteName","")); HttpResponse.setHeader("WWW-Authenticate", CHALLENGE); HttpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; } else { // user is authenticated, or don't care, continue handling chain.doFilter( request, response ); } // authenticated } // doFilter /* * @see javax.servlet.Filter#destroy() */ @Override public void destroy() { // Nothing to be done } // destroy }